Changeset 432
- Timestamp:
- 03/27/06 00:09:08 (3 years ago)
- Files:
-
- nepenthes/trunk/modules/shellcode-signatures/Makefile.am (modified) (1 diff)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackfiletransfer.cpp (added)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackfiletransfer.hpp (added)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_linkxor.cpp (added)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_linkxor.hpp (added)
- nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (3 diffs)
- nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (27 diffs)
nepenthes/trunk/modules/shellcode-signatures/Makefile.am
r429 r432 20 20 shellcodesignatures_la_SOURCES += sch_namespace_execute.cpp sch_namespace_execute.hpp 21 21 shellcodesignatures_la_SOURCES += sch_namespace_url.cpp sch_namespace_url.hpp 22 shellcodesignatures_la_SOURCES += sch_namespace_linkxor.cpp sch_namespace_linkxor.hpp 23 shellcodesignatures_la_SOURCES += sch_namespace_connectbackfiletransfer.cpp sch_namespace_connectbackfiletransfer.hpp 22 24 23 25 shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp
r429 r432 44 44 #include "sch_namespace_execute.hpp" 45 45 #include "sch_namespace_url.hpp" 46 #include "sch_namespace_linkxor.hpp" 47 #include "sch_namespace_connectbackfiletransfer.hpp" 46 48 47 49 #include "ShellcodeManager.hpp" … … 134 136 135 137 case sc_linkxor: 138 sch = new NamespaceLinkXOR(sc); 136 139 break; 137 140 … … 147 150 148 151 case sc_connectbackfiletransfer: 152 sch = new NamespaceConnectbackFiletransfer(sc); 149 153 break; 150 154 nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc
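Review bot: The two new case bodies `sch = new NamespaceLinkXOR(sc);` and `sch = new NamespaceConnectbackFiletransfer(sc);` allocate with a raw `new` and leave the ownership of `sch` implicit; the enclosing switch and its function start and end outside this hunk, so where `sch` is handed off is not visible here. Presumably it follows the neighbouring cases and is registered with the ShellcodeManager whose header is included just below, but that should be stated once at the switch rather than left for the reader to reconstruct, e.g. `// every handler created here is handed to the ShellcodeManager, which owns and deletes it` — adjusted to what the registration code actually does. Before this change both cases reached `break` without creating a handler, so it is worth a short comment on each new case naming the .sc namespace it serves (`xor::` and `connectbackfiletransfer::`) so the dispatch table and the signature file stay in step.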
r430 r432 6 6 [n] [+] 1) GenericCreateProcess generic CreateProcess decoder 7 7 [n] [+] 2) GenericUrl generic Url decoder 8 [ +] [] 3) LinkXOR link-bot XOR decoder8 [n] [+] 3) LinkXOR link-bot XOR decoder 9 9 [n] [+] 4) GenericCMD generic CMD decoder 10 [ +] [] 5) LinkTrans handles linkbot/linkshellcode connectback transfers10 [n] [+] 5) LinkTrans handles linkbot/linkshellcode connectback transfers 11 11 [+] [ ] 6) LinkBindTrans handles linkbot/linkshellcode bind transfers 12 [ +] [] 7) Stuttgart handles "stuttgart" shellcode12 [n] [+] 7) Stuttgart handles "stuttgart" shellcode 13 13 [s] [ ] 8) Wuerzburg handles "wuerzburg" shellcode 14 14 [n] [+] 9) GenericBind various bindshells 15 15 [n] [+] 10) GenericConnect various bindshells 16 16 [n] [ ] 11) KonstanzXOR Konstanz XOR decoder 17 [n] [ ] 12) GenericConnectTrans various csends17 [n] [+] 12) GenericConnectTrans various csends 18 18 [?] [ ] 13) GenericUniCode generic UniCode decoder 19 19 [n] [+] 14) GenericWinExec generic WinExec decoder … … 22 22 [?] 
[ ] 17) ASN1IISBase64 handles oc192 dcom bindshell 23 23 [a] [ ] 18) ASN1SMBBind handles oc192 dcom bindshell 24 [ s] [] 19) THCConnect handles thc iis connectbackshells25 [ a] [ ] 20) THCBind handles thc iis bindshells26 [ s] [] 21) HODBind handles oc192 dcom bindshell27 [ s] [] 22) HODConnect handles oc192 dcom bindshell28 [ s] [] 23) HODBind handles house of dabus msmq bindshells29 [ a] [] 24) HODBind handles house of dabus netdde bindshells30 [ a] [] 25) HODConnect handles house of dabus netdde bindshells31 [ s] [] 26) MandragoreBind mandragore sasserftpd bondshells32 [ s] [] 27) MandragoreConnect mandragore sasserftpd bondshells24 [n] [+] 19) THCConnect handles thc iis connectbackshells 25 [ ] [ ] 20) THCBind handles thc iis bindshells 26 [n] [+] 21) HODBind handles oc192 dcom bindshell 27 [n] [+] 22) HODConnect handles oc192 dcom bindshell 28 [n] [+] 23) HODBind handles house of dabus msmq bindshells 29 [n] [+] 24) HODBind handles house of dabus netdde bindshells 30 [n] [+] 25) HODConnect handles house of dabus netdde bindshells 31 [n] [+] 26) MandragoreBind mandragore sasserftpd bondshells 32 [n] [+] 27) MandragoreConnect mandragore sasserftpd bondshells 33 33 [n] [+] 28) HATSQUADConnect handles hat-squad wins connect 34 34 [n] [+] 29) HATSQUADBind handles hat-squad wins bindshell 35 [ s] [ ] 30) ZUCConnect handles zuc wins connect35 [+] [+] 30) ZUCConnect handles zuc wins connect ( dupe of 19)) 36 36 =--- 31 ShellcodeHandlers registerd 37 37 38 */ 38 39 … … 178 179 }; 179 180 181 /* 182 * too inaccurate 183 * 180 184 xor::mwcollect 181 185 { … … 184 188 mapping (none,pre,pcre,size,key,post); 185 189 }; 186 190 */ 187 191 188 192 xor::hod … … 211 215 pattern 212 216 "\\xEB\\x15\\xB9(....)\\x81\\xF1(....)\\x5E\\x80\\x74\\x31\\xFF(.)\\xE2\\xF9\\xEB\\x05\\xE8\\xE6\\xFF\\xFF\\xFF(.*)"; 213 mapping ( key,key,size);217 mapping (none,size,size,key,post); 214 218 }; 215 219 … … 258 262 "\\x57\\xF8"; 259 263 260 mapping ( port);264 mapping (none,port); 261 265 }; 262 
266 … … 298 302 "\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0"; 299 303 */ 300 mapping ( port);304 mapping (none,port); 301 305 }; 302 306 … … 312 316 "\\x31\\xFF\\x56\\xD2\\x8B\\xC8\\xFF\\x76\\xBE\\xFF\\x56\\xD6\\xEB\\x9E\\xFF\\x56\\x14"; 313 317 314 mapping ( port);318 mapping (none,port); 315 319 }; 316 320 … … 326 330 "\\x53\\xFF\\x57\\xE4\\x50\\xFF\\x57\\xE8"; 327 331 328 mapping ( port);332 mapping (none,port); 329 333 }; 330 334 … … 340 344 "\\xFF\\x56\\x0C\\x8B\\xC8\\x57\\xFF\\x56\\x2C\\xFF\\x56\\x14"; 341 345 342 mapping ( port);346 mapping (none,port); 343 347 }; 344 348 … … 363 367 "\\x64\\xFF\\xD6\\x52\\xFF\\xD0\\x68\\xEF\\xCE\\xE0\\x60\\x53\\xFF\\xD6\\xFF\\xD0"; 364 368 365 mapping ( port);369 mapping (none,port); 366 370 }; 367 371 … … 386 390 "\\x53\\x53\\x55\\xFF\\x55\\xEC\\x6A\\xFF\\xFF\\x55\\xE0"; 387 391 388 mapping ( port);392 mapping (none,port); 389 393 }; 390 394 … … 403 407 "\\xC7\\x47\\x2C\\x01\\x01\\x00\\x00\\x83\\xC7\\x38\\x93\\xAB\\xAB\\xAB\\x64\\x67\\xA1\\x30\\x00\\x8B" 404 408 "\\x40\\x0C\\x8B\\x40\\x1C\\x8B\\x00\\xFF\\x70\\x08\\xFF\\x16\\xFF\\xD0\\xEB"; 405 mapping ( port);409 mapping (none,port); 406 410 }; 407 411 … … 544 548 "\\xc7\\x02\\x63\\x6d\\x64\\x00\\x52\\x50\\xff\\x57\\xe8\\xc7\\x07\\x02\\x00(..)\\xc7\\x47\\x04" 545 549 "(....)\\x6a\\x10\\x57\\x53\\xff\\x57\\xf8\\x53\\xff\\x57\\xfc\\x50\\xff\\x57\\xec"; 546 mapping ( port,host);550 mapping (none,port,host); 547 551 }; 548 552 … … 553 557 "\\xff\\xd0\\x68(....)\\x66\\x68(..)\\x66\\x53\\x89\\xe1\\x95\\x68\\xec\\xf9\\xaa\\x60\\x57\\xff\\xd6" 554 558 "\\x6a\\x10\\x51\\x55\\xff\\xd0"; 555 mapping ( host,port);559 mapping (none,host,port); 556 560 }; 557 561 … … 576 580 "\\xFF\\xD0\\x68\\xE7\\x79\\xC6\\x79\\xFF\\x75\\x04\\xFF\\xD6\\xFF\\x77\\xFC\\xFF\\xD0\\x68\\xEF\\xCE" 577 581 "\\xE0\\x60\\x53\\xFF\\xD6\\xFF\\xD0"; 578 mapping ( host,port);582 mapping (none,host,port); 579 583 }; 580 584 … … 594 598 
"\\x50\\xFF\\x57\\xEC\\xC7\\x07\\x02\\x00(..)\\xC7\\x47\\x04(....)\\x6A\\x10\\x57\\x53\\xFF\\x57\\xFC" 595 599 "\\x50\\xFF\\x57\\xF0"; 596 mapping ( port,host);600 mapping (none,port,host); 597 601 }; 598 602 … … 612 616 "\\x48\\x89\\x5C\\x24\\x4C\\x89\\x5C\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x6A\\x01" 613 617 "\\x51\\x51\\xFF\\x76\\x30\\x51\\xFF\\x56\\x08\\x53\\xFF\\x56\\x1C\\xFF\\x56\\x0C"; 614 mapping ( host,port);618 mapping (none,host,port); 615 619 }; 616 620 … … 625 629 "\\x8B\\xFD\\xF3\\xAB\\x5F\\xC7\\x45\\x00\\x44\\x00\\x00\\x00\\x89\\x5D\\x3C\\x89\\x5D\\x38\\x89\\x5D" 626 630 "\\x40\\xC7\\x45\\x2C\\x01\\x01\\x00\\x00\\x8D\\x45\\x44"; 627 mapping ( host,port);631 mapping (none,host,port); 628 632 }; 629 633 … … 646 650 "\\x79\\xc6\\x79\\xff\\x75\\x04\\xff\\xd6\\xff\\x77\\xfc\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff" 647 651 "\\xd6\\xff\\xd0"; 648 mapping ( host,port);652 mapping (none,host,port); 649 653 }; 650 654 … … 672 676 "\\xC6\\x79\\xFF\\x75\\x04\\xFF\\xD6\\xFF\\x77\\xFC\\xFF\\xD0\\x68\\xEF\\xCE\\xE0" 673 677 "\\x60\\x53\\xFF\\xD6\\xFF\\xD0"; 674 mapping ( host,port);678 mapping (none,host,port); 675 679 }; 676 680 … … 736 740 "\\x00\\xE8\\x9C\\xFE\\xFF\\xFF\\x00\\x00\\x00\\x00(....)(..)\\x77\\x73\\x32\\x5F\\x33\\x32\\x00\\x57" 737 741 "\\x53\\x41\\x53\\x74\\x61\\x72\\x74\\x75\\x70\\x00\\x73\\x6F\\x63\\x6B\\x65\\x74\\x00"; 738 mapping ( host,port);742 mapping (none,host,port); 739 743 /* 740 744 * the first 4 bytes of the transferr are the file size … … 746 750 }; 747 751 748 752 // taken from shellcode-generic/sch_generic_link_trans.cpp 753 connectbackfiletransfer::linktransfer 754 { 755 pattern 756 ".*\\x53\\x53\\x68(....)\\x68\\x02\\x00(..)\\x8B\\xD4\\x8B\\xD8\\x6A" 757 // ^^^^->ip ^^-> port 758 "\\x10\\x52\\x53\\xBA\\x63\\x30\\x60\\x5A\\xFF\\xD6\\x50\\xB4\\x02\\x50\\x55\\x53\\xBA" 759 "\\x00\\x58\\x60\\xE2\\xFF\\xD6\\xBF(....)\\xFF\\xE5.*"; 760 // ^^^^-> auth key 761 mapping(none,host,port,key); 762 }; 763 764 765 // 
taken from shellcode-generic/sch_generic_stuttgart.cpp 766 connectbackfiletransfer::stuttgart 767 { 768 pattern 769 "\\x50\\x50\\x68(....)\\x68\\x02\\x00" 770 "(..)\\x8B\\xFC\\x50\\x6A\\x01\\x6A\\x02\\xFF" 771 "\\x55\\x20\\x8B\\xD8\\x6A\\x10\\x57\\x53\\xFF\\x55" 772 "\\x24\\x85\\xC0\\x75\\x59\\xC7\\x45\\x00(....)" 773 "\\x50\\x6A\\x04\\x55\\x53\\xFF\\x55\\x2C"; 774 mapping(none,host,port,key); 775 }; 776 777 778 /* 779 // taken from shellcode-generic/sch_generic_link_bind_trans.cpp 780 bindfiletransfer::bindlinktransfer 781 { 782 pattern 783 "\\xba\\x83\\x53\\x83\\x00\\xff\\xd6\\x53\\x53\\x53\\x68\\x02\\x00" 784 "(..)\\x8b\\xd4\\x8b\\xd8\\x6a\\x10\\x52\\x53\\xba\\x00\\x90" 785 "\\xa6\\xc2\\xff\\xd6\\x40\\x50\\x53\\xba\\x7a\\x3b\\x73\\xa1\\xff" 786 "\\xd6\\x50\\x50\\x53\\xba\\x10\\xd3\\x69\\x00\\xff\\xd6\\x8b\\xd8" 787 "\\x33\\xc0\\x50\\xb4\\x02\\x50\\x55\\x53\\xba\\x00\\x58\\x60\\xe2" 788 "\\xff\\xd6\\xbf(....)\\xff\\xe5"; 789 790 mapping (none,port,key); 791 }; 792 */ 749 793 750 794 … … 777 821 "\\x8B\\x40\\x34\\x05\\x7C\\x00\\x00\\x00\\x8B\\x68\\x3C\\x5F\\x31\\xF6\\x60\\x56\\xEB\\x0D\\x68\\xEF" 778 822 "\\xCE\\xE0\\x60\\x68\\x98\\xFE\\x8A\\x0E\\x57\\xFF\\xE7\\xE8\\xEE\\xFF\\xFF\\xFF(.*\\x00)"; 779 mapping ( command);823 mapping (none,command); 780 824 }; 781 825 … … 790 834 pattern 791 835 ".*(wget.*)$"; 792 mapping( command);836 mapping(none,command); 793 837 }; 794 838 … … 799 843 pattern 800 844 ".*(curl.*)$"; 801 mapping( command);845 mapping(none,command); 802 846 }; 803 847 … … 808 852 pattern 809 853 ".*((http|https|ftp):\/\/[@a-zA-Z0-9\-\/\\\.\+:]+).*"; 810 mapping (uri); 811 }; 812 813 814 815 // taken from shellcode-generic/sch_generic_link_trans.cpp 816 connectbacklinkfiletransfer::linktransfer 817 { 818 pattern 819 ".*\\x53\\x53\\x68(....)\\x68\\x02\\x00(..)\\x8B\\xD4\\x8B\\xD8\\x6A" 820 // ^^^^->ip ^^-> port 821 "\\x10\\x52\\x53\\xBA\\x63\\x30\\x60\\x5A\\xFF\\xD6\\x50\\xB4\\x02\\x50\\x55\\x53\\xBA" 822 
"\\x00\\x58\\x60\\xE2\\xFF\\xD6\\xBF(....)\\xFF\\xE5.*"; 823 // ^^^^-> auth key 824 mapping(host,port,key); 825 }; 826 827 828 // taken from shellcode-generic/sch_generic_stuttgart.cpp 829 connectbacklinkfiletransfer::stuttgart 830 { 831 pattern 832 "\\x50\\x50\\x68(....)\\x68\\x02\\x00" 833 "(..)\\x8B\\xFC\\x50\\x6A\\x01\\x6A\\x02\\xFF" 834 "\\x55\\x20\\x8B\\xD8\\x6A\\x10\\x57\\x53\\xFF\\x55" 835 "\\x24\\x85\\xC0\\x75\\x59\\xC7\\x45\\x00(....)" 836 "\\x50\\x6A\\x04\\x55\\x53\\xFF\\x55\\x2C"; 837 mapping(host,port,key); 838 }; 839 840 841 // taken from shellcode-generic/sch_generic_link_bind_trans.cpp 842 bindlinkfiletransfer::bindlinktransfer 843 { 844 pattern 845 "\\xba\\x83\\x53\\x83\\x00\\xff\\xd6\\x53\\x53\\x53\\x68\\x02\\x00" 846 "(..)\\x8b\\xd4\\x8b\\xd8\\x6a\\x10\\x52\\x53\\xba\\x00\\x90" 847 "\\xa6\\xc2\\xff\\xd6\\x40\\x50\\x53\\xba\\x7a\\x3b\\x73\\xa1\\xff" 848 "\\xd6\\x50\\x50\\x53\\xba\\x10\\xd3\\x69\\x00\\xff\\xd6\\x8b\\xd8" 849 "\\x33\\xc0\\x50\\xb4\\x02\\x50\\x55\\x53\\xba\\x00\\x58\\x60\\xe2" 850 "\\xff\\xd6\\xbf(....)\\xff\\xe5"; 851 852 mapping (port,key); 853 }; 854 855 854 mapping (none,uri); 855 }; 856 857 858 859 860
